CN114398618B - Authentication method and device for equipment identity, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114398618B
Authority
CN
China
Prior art keywords
trusted
proving
node
authentication
information
Prior art date
Legal status
Active
Application number
CN202111370808.5A
Other languages
Chinese (zh)
Other versions
CN114398618A (en)
Inventor
麻付强
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202111370808.5A
Publication of CN114398618A
Priority to PCT/CN2022/121850 (WO2023087930A1)
Application granted
Publication of CN114398618B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses an equipment identity authentication method, an equipment identity authentication device, electronic equipment and a storage medium. The method comprises the following steps: receiving an identity authentication request sent by user equipment; calling each trusted node of a trusted node set to execute the authentication operation corresponding to the identity authentication request, obtaining an initial proving information tree corresponding to the trusted node set; transmitting the initial proving information tree to the user equipment so that the user equipment can re-authenticate it; and receiving the target proving information tree sent by the user equipment and storing it in each trusted node. The method builds trusted nodes in a tree hierarchy and, before distributed operation, performs identity authentication between the trusted nodes and the user equipment, so that the user equipment can carry out distributed operation in the cloud computing platform. Meanwhile, the trusted nodes run in a trusted environment, so the operation content is invisible to the cloud computing platform and the confidentiality and integrity of the operation are protected.

Description

Authentication method and device for equipment identity, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of cloud computing technologies, and in particular, to an apparatus identity authentication method and apparatus, an electronic device, and a storage medium.
Background
Security and trust are extremely important requirements in cloud computing, and how to protect applications and data hosted by users on cloud platforms from theft by cloud service providers and other attackers has been a challenge. One possible solution is to implement a Trusted Execution Environment (TEE) using confidential computing technology so that the data remains encrypted and strongly isolated at all times, thus ensuring the security and privacy of the user data.
In 2013, Intel Corporation proposed a new processor security technology, SGX (Software Guard Extensions), which provides a trusted execution environment for user space on a computing platform and ensures the confidentiality and integrity of the user's key code and data. Since its proposal, SGX has become an important solution to the cloud computing security problem.
In the TEE research field, easy-to-use adaptation modes such as library operating systems (LibOS) and automatic program partitioning have emerged. Taking SGX as an example, typical LibOS implementations include Graphene, SCONE and Occlum.
SGX provides two kinds of identity authentication: local attestation between enclaves on the same platform, which verifies whether the reporting enclave and the verifying enclave run on the same platform; and remote attestation between platforms, by which a remote verifier authenticates the identity information of an enclave.
In a distributed operating system (e.g., MapReduce), remote identity authentication is required between nodes, and each node must prove that it runs in the trusted running environment of Occlum. A trusted channel must be established between every pair of nodes, so the communication volume is large, the structure is complex, and building the trusted distributed operating system takes a long time.
Disclosure of Invention
In order to solve the technical problems or at least partially solve the technical problems, the application provides an equipment identity authentication method, an equipment identity authentication device, electronic equipment and a storage medium.
According to an aspect of the embodiments of the present application, there is provided an authentication method of an equipment identity, applied to a cloud computing platform, the method including:
receiving an identity authentication request sent by user equipment, wherein the identity authentication request is used for requesting authentication of a trusted node set deployed in the cloud computing platform and used for executing distributed computation, and the trusted node set comprises a plurality of cascaded trusted nodes;
Invoking each trusted node of the trusted node set to execute an authentication operation corresponding to the identity authentication request to obtain an initial proving information tree corresponding to the trusted node set, wherein the initial proving information tree comprises: the corresponding certification information of each trusted node;
transmitting the initial proving information tree to the user equipment so that the user equipment can conduct re-authentication on the initial proving information tree;
and receiving a target proving information tree sent by the user equipment, and storing the target proving information tree into each trusted node, wherein the target proving information tree is obtained after the user equipment authenticates the initial proving information tree again.
Further, the trusted node set includes a trusted root node, trusted relay nodes and trusted leaf nodes, wherein the trusted root node is connected with at least two trusted relay nodes, and each trusted relay node is connected with at least two trusted leaf nodes;
before each trusted node of the set of trusted nodes is invoked to perform an authentication operation corresponding to the identity authentication request, the method further comprises:
establishing a first transmission channel between the user equipment and the trusted root node based on a preset key exchange protocol, and generating a first key;
Establishing a second transmission channel between the trusted root node and the trusted relay node based on the preset key exchange protocol, and generating a second key;
and establishing a third transmission channel between the trusted relay node and the trusted leaf node based on the preset key exchange protocol, and generating a third key.
Further, the step of calling each trusted node of the trusted node set to execute the authentication operation corresponding to the identity authentication request to obtain an initial proof information tree corresponding to the trusted node set includes:
issuing the identity authentication request to the trusted relay node and the trusted leaf node through the trusted root node;
the trusted leaf node executes a first authentication operation according to the identity authentication request to obtain first authentication information corresponding to the trusted leaf node, encrypts the first authentication information by using the third key and sends the first authentication information to the trusted relay node through a third transmission channel;
the trusted relay node decrypts the first authentication information encrypted by all the trusted leaf nodes, sends the decrypted first authentication information to a proving center for proving, obtains a first proving result, and generates a first proving information tree according to the first proving result;
The trusted relay node executes a second authentication operation according to the identity authentication request to obtain second authentication information corresponding to the trusted relay node;
the trusted relay node encrypts the second authentication information and the first proving information tree by using the second key and sends the second authentication information and the first proving information tree to the trusted root node through a second transmission channel;
the trusted root node decrypts the second authentication information and the first proving information tree encrypted by all the trusted relay nodes, sends the decrypted second authentication information to a proving center to obtain a second proving result, and generates a second proving information tree according to the second proving result and the first proving information tree;
and the trusted root node executes a third authentication operation according to the identity authentication request to obtain third authentication information corresponding to the trusted root node, adds the third authentication information to the second proving information tree to obtain the initial proving information tree, encrypts the initial proving information tree by using the first key and sends the encrypted initial proving information tree to user equipment.
Further, the trusted leaf node executes a first authentication operation according to the identity authentication request to obtain first authentication information corresponding to the trusted leaf node, including:
the trusted leaf node generates a first authentication code by using a symmetric key of a reference enclave (the platform's quoting enclave), and sends the first authentication code to the reference enclave so that the reference enclave verifies the first authentication code;
the trusted leaf node receives a first reference structure and a first signature fed back by the reference enclave, wherein the first reference structure and the first signature are obtained after the reference enclave verifies the first authentication code;
the first reference structure and the first signature are determined to be the first authentication information.
Further, the trusted relay node executes a second authentication operation according to the identity authentication request to obtain second authentication information corresponding to the trusted relay node, including:
the trusted relay node sends a first proving request to third party proving equipment to obtain a first proving result, wherein the first proving request is used for proving first authentication information of the trusted leaf node;
when the first authentication information of the trusted leaf node is confirmed to pass according to the first proving result, the trusted relay node generates a second authentication code using a symmetric key of the reference enclave, and sends the second authentication code and the first proving information tree to the reference enclave so that the reference enclave verifies the second authentication code;
The trusted relay node receives a second reference structure and a second signature fed back by the reference enclave, wherein the second reference structure and the second signature are obtained after the reference enclave verifies the second authentication code;
the second reference structure and the second signature are determined to be the second authentication information.
Further, the trusted root node executes a third authentication operation according to the identity authentication request to obtain third authentication information corresponding to the trusted root node, including:
the trusted root node sends a second proving request to third party proving equipment to obtain a second proving result, wherein the second proving request is used for proving second authentication information of the trusted relay node;
when the second authentication information of the trusted relay node is confirmed to pass according to the second proving result, the trusted root node generates a third authentication code using a symmetric key of the reference enclave, and sends the third authentication code and the second proving information tree to the reference enclave so that the reference enclave verifies the third authentication code;
the trusted root node receives a third reference structure and a third signature fed back by the reference enclave, wherein the third reference structure and the third signature are obtained after the reference enclave verifies the third authentication code;
Determining the third reference structure and the third signature as the third authentication information.
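The leaf/relay/root attestation chain described above, as an added simulation that is not part of the patent (Python, standard library only): each node's REPORT is MAC'ed to a shared quoting enclave, the child quotes are folded into a hash tree whose root is bound into the parent's quote as user data, and the user equipment re-authenticates the whole tree top-down. Assumptions: the REPORT is modelled as a hash of node identity and request, the hash tree is a plain binary Merkle root, the per-node signature verified by the proving center is simulated with HMAC under a key registered at the center, and the encrypted channels of steps A1-A3 are omitted.

```python
"""Simulation (not the patent's code) of the root/relay/leaf proving information tree."""
import hashlib
import hmac
import os


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def merkle_root(leaves: list) -> bytes:
    """Hash tree over child proving information (assumption: plain binary Merkle root)."""
    if not leaves:
        return b""
    level = [sha256(leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class AttestationCenter:
    """Third party trusted proving center holding each node's registered signing key."""

    def __init__(self) -> None:
        self.keys = {}

    def register(self, node_id: str) -> None:
        self.keys[node_id] = os.urandom(32)

    def sign(self, node_id: str, body: bytes) -> bytes:
        # HMAC stands in for the asymmetric signature the patent describes (assumption).
        return hmac.new(self.keys[node_id], body, "sha256").digest()

    def verify(self, node_id: str, body: bytes, sig: bytes) -> bool:
        return node_id in self.keys and hmac.compare_digest(self.sign(node_id, body), sig)


class QuotingEnclave:
    """Platform quoting enclave (the page's "reference enclave")."""

    def __init__(self, center: AttestationCenter) -> None:
        self.center = center
        self.report_key = os.urandom(32)  # Report symmetric key shared with local enclaves

    def quote(self, node_id: str, report: bytes, mac: bytes, user_data: bytes):
        # Local attestation: a valid MAC shows the reporting enclave runs on this platform.
        expected = hmac.new(self.report_key, report, "sha256").digest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError(f"{node_id}: REPORT MAC invalid, enclave not on this platform")
        quote = report + user_data  # reference structure with the hash tree as user data
        return quote, self.center.sign(node_id, quote)


class TrustedNode:
    """A trusted leaf, relay or root node; children are the nodes it is connected to."""

    def __init__(self, node_id: str, qe: QuotingEnclave, children=()) -> None:
        self.node_id, self.qe, self.children = node_id, qe, list(children)
        qe.center.register(node_id)

    def authenticate(self, request: bytes) -> dict:
        """Attest children first, then bind their hash tree into this node's own quote."""
        subtree = [child.authenticate(request) for child in self.children]
        for entry in subtree:  # relay/root confirms each child's quote with the proving center
            if not self.qe.center.verify(entry["node"], entry["quote"], entry["sig"]):
                raise ValueError(f"{entry['node']}: proving result failed")
        tree_root = merkle_root([e["quote"] for e in subtree])
        report = sha256(self.node_id.encode(), request)  # REPORT: identity + additional info
        mac = hmac.new(self.qe.report_key, report, "sha256").digest()
        quote, sig = self.qe.quote(self.node_id, report, mac, tree_root)
        return {"node": self.node_id, "quote": quote, "sig": sig, "children": subtree}


def verify_tree(center: AttestationCenter, entry: dict, request: bytes) -> bool:
    """User equipment re-authentication of the initial proving information tree."""
    children = entry["children"]
    expected = sha256(entry["node"].encode(), request) + merkle_root([c["quote"] for c in children])
    if entry["quote"] != expected:  # the subtree must match the user data bound in the quote
        return False
    if not center.verify(entry["node"], entry["quote"], entry["sig"]):
        return False
    return all(verify_tree(center, child, request) for child in children)


def build_and_verify(tamper: bool = False) -> bool:
    """Build one root, two relays and four leaves, attest, and optionally swap a leaf quote."""
    center = AttestationCenter()
    qe = QuotingEnclave(center)  # all nodes on one platform share this quoting enclave
    leaves = [TrustedNode(f"leaf{i}", qe) for i in range(4)]
    relays = [TrustedNode("relay0", qe, leaves[:2]), TrustedNode("relay1", qe, leaves[2:])]
    root = TrustedNode("root", qe, relays)
    request = b"identity-authentication-request-0001"  # constructed sample request
    tree = root.authenticate(request)
    if tamper:  # a replaced leaf quote no longer matches its relay's hash tree user data
        tree["children"][0]["children"][0]["quote"] = b"\x00" * 32
    return verify_tree(center, tree, request)


if __name__ == "__main__":
    print("genuine tree verifies:", build_and_verify())
    print("tampered tree verifies:", build_and_verify(tamper=True))
```

Verification walks the tree from the root down, so a tampered leaf quote is rejected at its relay because it no longer matches the user data bound into the relay's signed quote.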
Further, after receiving the target proving information tree sent by the user equipment and storing the target proving information tree in the respective trusted nodes, the method further includes:
receiving a distributed computing request sent by the user equipment, wherein the distributed computing request carries target data sent by the user equipment and a distribution mode corresponding to the target data;
the target data is sent to the trusted relay node by the trusted root node according to the distribution mode, and the trusted relay node sends the target data to the trusted leaf node according to the distribution mode;
the trusted leaf node performs distributed computation on the target data to obtain a first computation result, and the first computation result is sent to the trusted relay node;
the trusted relay node gathers the first calculation results to obtain second calculation results, and sends the second calculation results to the trusted root node;
and the trusted root node gathers the second calculation results to obtain third calculation results, and sends the third calculation results to the user equipment.
According to another aspect of the embodiments of the present application, there is also provided an apparatus for authenticating an identity of a device, including:
a receiving module, configured to receive an identity authentication request sent by user equipment, wherein the identity authentication request is used for requesting authentication of a trusted node set which is deployed in the cloud computing platform and used for executing distributed computation, and the trusted node set comprises a plurality of cascaded trusted nodes;
the calling module is used for calling each trusted node of the trusted node set to execute the authentication operation corresponding to the identity authentication request to obtain an initial proving information tree corresponding to the trusted node set, wherein the initial proving information tree comprises: the corresponding certification information of each trusted node;
the sending module is used for sending the initial proving information tree to the user equipment so that the user equipment can conduct re-authentication on the initial proving information tree;
and the storage module is used for receiving a target proving information tree sent by the user equipment and storing the target proving information tree into each trusted node, wherein the target proving information tree is obtained after the user equipment authenticates the initial proving information tree again.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that performs the steps described above when running.
According to another aspect of the embodiments of the present application, there is provided an electronic device including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein: a memory for storing a computer program; and a processor for executing the steps of the method by running a program stored on the memory.
Embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the above method.
Compared with the prior art, the technical scheme provided by the embodiments of the application has the following advantages: the method builds trusted nodes in a tree hierarchy and, before distributed operation, performs identity authentication between the trusted nodes and the user equipment, so that the user equipment can carry out distributed operation in the cloud computing platform. Meanwhile, the trusted nodes run in a trusted environment, so the operation content is invisible to the cloud computing platform and the confidentiality and integrity of the operation are protected.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flowchart of an authentication method of an equipment identity according to an embodiment of the present application;
fig. 2 is a schematic diagram of an identity authentication framework provided in an embodiment of the present application;
fig. 3 is a flowchart of an authentication method of an equipment identity according to another embodiment of the present application;
fig. 4 is a flowchart of an authentication method of an equipment identity according to another embodiment of the present application;
fig. 5 is a flowchart of an authentication method of an equipment identity according to another embodiment of the present application;
fig. 6 is a block diagram of an authentication apparatus for equipment identity according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments, the exemplary embodiments of the present application and the descriptions thereof are used to explain the present application and do not constitute undue limitations of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another similar entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The embodiments of the application provide an equipment identity authentication method, an equipment identity authentication device, electronic equipment and a storage medium. The method provided by the embodiments can be applied to any electronic device that requires it, for example a server or a terminal; it is not particularly limited, and for convenience of description it is referred to simply as the electronic device hereinafter.
According to an aspect of the embodiments of the present application, a method embodiment of an authentication method for an equipment identity is provided. Fig. 1 is a flowchart of an authentication method of an equipment identity according to an embodiment of the present application, as shown in fig. 1, where the method includes:
step S11, an identity authentication request sent by user equipment is received, wherein the identity authentication request is used for requesting authentication of a trusted node set which is deployed in a cloud computing platform and used for executing distributed computation, and the trusted node set comprises a plurality of cascaded trusted nodes.
In the embodiment of the application, when the user equipment has a distributed computing service, it sends an identity authentication request to the cloud computing platform. The cloud computing platform comprises a trusted node set for executing distributed computing, and the trusted node set comprises a plurality of cascaded trusted nodes which, as shown in fig. 2, are: a trusted root node, trusted relay nodes and trusted leaf nodes, wherein the trusted root node is connected with at least two trusted relay nodes, and each trusted relay node is connected with at least two trusted leaf nodes.
In this embodiment of the present application, before each trusted node of the trusted node set is invoked to perform the authentication operation corresponding to the identity authentication request, the cloud computing platform establishes a transmission channel with the user equipment and establishes transmission channels between the nodes inside the cloud computing platform; as shown in fig. 3, the method further includes the following steps A1-A3:
Step A1, a first transmission channel between the user equipment and the trusted root node is established based on a preset key exchange protocol, and a first key is generated.
Step A2, a second transmission channel between the trusted root node and the trusted relay node is established based on the preset key exchange protocol, and a second key is generated.
Step A3, a third transmission channel between the trusted relay node and the trusted leaf node is established based on the preset key exchange protocol, and a third key is generated.
Step S12, each trusted node of the trusted node set is called to execute authentication operation corresponding to the identity authentication request, and an initial proving information tree corresponding to the trusted node set is obtained, wherein the initial proving information tree comprises: and the certification information corresponding to each trusted node.
In this embodiment of the present application, step S12, invoking each trusted node of the trusted node set to perform an authentication operation corresponding to the identity authentication request, to obtain an initial proof information tree corresponding to the trusted node set, as shown in fig. 4, includes the following steps B1-B5:
Step B1, the trusted root node issues the identity authentication request to the trusted relay node and the trusted leaf node.
Step B2, the trusted leaf node executes a first authentication operation according to the identity authentication request to obtain first authentication information corresponding to the trusted leaf node, encrypts the first authentication information with the third key and sends it to the trusted relay node through the third transmission channel.
In the embodiment of the present application, step B2, the trusted leaf node performs a first authentication operation according to the identity authentication request, to obtain first authentication information corresponding to the trusted leaf node, and includes the following steps B201-B203:
step B201, the trusted leaf node generates a first authentication code by using a symmetric key of a reference enclave, and sends the first authentication code to the reference enclave so that the reference enclave verifies the first authentication code.
Step B202, the trusted leaf node receives a first reference structure and a first signature fed back by the reference enclave, wherein the first reference structure and the first signature are obtained after the reference enclave verifies the first authentication code.
Step B203, determining the first reference structure and the first signature as first authentication information.
In the embodiment of the application, the trusted leaf node executes the identity authentication request and combines its own identity with the additional information to generate a REPORT structure. The trusted leaf node generates a MAC using the Report symmetric key of the quoting enclave and sends the REPORT structure and the MAC to the quoting enclave. The quoting enclave uses its own Report symmetric key to verify whether the trusted leaf node runs on the same cloud computing platform, then encapsulates the result into a reference structure (the first reference structure), signs it with the private key of the corresponding trusted leaf node registered with the third party trusted proving center (the first signature), and determines the first reference structure and the first signature as the first authentication information.
Step B3, the trusted relay node decrypts the encrypted first authentication information of all the trusted leaf nodes, sends the decrypted first authentication information to the proving center for proving, obtains a first proving result, and generates a first proving information tree according to the first proving result.
Step B4, the trusted relay node executes a second authentication operation according to the identity authentication request to obtain second authentication information corresponding to the trusted relay node.
In the embodiment of the present application, step B4, the trusted relay node performs a second authentication operation according to the identity authentication request, to obtain second authentication information corresponding to the trusted relay node, and includes the following steps B401-B404:
And step B401, the trusted relay node sends a first proving request to the third party proving equipment to obtain a first proving result, wherein the first proving request is used for proving the first authentication information of the trusted leaf node.
And step B402, when the first authentication information of the trusted leaf node is confirmed to pass through according to the first proving result, the trusted relay node generates a second authentication code by using the symmetric key of the reference enclave, and the second authentication code and the first proving information tree are sent to the reference enclave so that the reference enclave verifies the second authentication code.
And step B403, the trusted relay node receives a second reference structure and a second signature fed back by the reference enclave, wherein the second reference structure and the second signature are obtained after the reference enclave verifies the second authentication code.
Step B404, determining the second reference structure and the second signature as second authentication information.
In this embodiment, the trusted relay node verifies the identity of each trusted leaf node through the third-party trusted attestation center and generates the corresponding trusted leaf node attestation information. The trusted relay node builds a remote attestation hash tree, adds the attestation information of every trusted leaf node connected to it, and computes the hash over the trusted leaf node attestation information.
The trusted relay node executes the EREPORT instruction, combining its own identity with the additional data (the hash of the attestation tree, carried in the REPORT's user data field) to produce a REPORT structure. It generates a MAC over the REPORT with the report key of the quoting enclave and sends the REPORT and the MAC to the quoting enclave. The quoting enclave recomputes the MAC with its own report key to verify that the trusted relay node runs on the same platform, encapsulates the REPORT in a QUOTE structure (the second QUOTE structure) that carries the remote attestation hash tree as user data, and signs it with the private key of the corresponding trusted relay node registered at the third-party trusted attestation center (the second signature); the second QUOTE structure and the second signature form the second authentication information. Since the user data field of a REPORT is only 64 bytes, it holds the hash of the tree rather than the tree itself; the tree is transmitted alongside the quote and checked against that hash by the verifier.
The trusted relay node then encrypts the second authentication information with the second key and sends it to the trusted root node over the second transmission channel.
Step B5: the trusted relay node encrypts the second authentication information and the first attestation information tree with the second key and sends them to the trusted root node over the second transmission channel.
Step B6: the trusted root node decrypts the encrypted second authentication information and first attestation information trees received from all trusted relay nodes, sends the decrypted second authentication information to the attestation center to obtain a second attestation result, and generates a second attestation information tree from the second attestation result and the first attestation information trees.
Step B7: the trusted root node executes a third authentication operation according to the identity authentication request to obtain third authentication information corresponding to the trusted root node, adds the third authentication information to the second attestation information tree to obtain the initial attestation information tree, encrypts the initial attestation information tree with the first key, and sends the encrypted initial attestation information tree to the user equipment.
In this embodiment, step B7, in which the trusted root node executes the third authentication operation according to the identity authentication request to obtain the third authentication information of the trusted root node, comprises the following steps B701 to B704:
Step B701: the trusted root node sends a second attestation request to the third-party attestation device to obtain a second attestation result, where the second attestation request asks for attestation of the second authentication information of the trusted relay nodes.
Step B702: when the second attestation result confirms that the second authentication information of the trusted relay nodes is valid, the trusted root node generates a third authentication code (a MAC) with the report key of the quoting enclave and sends the third authentication code together with the second attestation information tree to the quoting enclave, so that the quoting enclave can verify the third authentication code.
Step B703: the trusted root node receives a third QUOTE structure and a third signature returned by the quoting enclave; the third QUOTE structure and the third signature are produced after the quoting enclave has verified the third authentication code.
Step B704: the third QUOTE structure and the third signature are taken as the third authentication information.
In this embodiment, the trusted root node adds the attestation information of every trusted relay node connected to it to the remote attestation hash tree and computes the hash over the trusted relay node attestation information. The trusted root node executes the EREPORT instruction, combining its own identity with the additional data (that hash, carried in the REPORT's user data field) to produce a REPORT structure.
The trusted root node generates a MAC over the REPORT with the report key of the quoting enclave and sends the REPORT and the MAC to the quoting enclave. The quoting enclave recomputes the MAC with its own report key to verify that the trusted root node runs on the same platform, encapsulates the REPORT in a QUOTE structure (the third QUOTE structure) that carries the remote attestation hash tree as user data, and signs it with the private key of the corresponding trusted root node registered at the third-party trusted attestation center (the third signature); the third QUOTE structure and the third signature form the third authentication information.
The trusted root node then encrypts the third authentication information, as part of the initial attestation information tree, with the first key and sends it to the user equipment over the first transmission channel.
Step S13: the initial attestation information tree is sent to the user equipment so that the user equipment can re-authenticate the initial attestation information tree.
In this embodiment, the user equipment verifies the identity of the trusted root node through the third-party trusted attestation center and generates the corresponding trusted root node attestation information. The user equipment adds the trusted root node attestation information to the remote attestation hash tree and computes the attestation information hash. Because each node's quote carries the hash of its children's attestation information as user data, the user equipment can check the whole hierarchy from the root quote downward: each quote must verify at the attestation center and the user data in each quote must equal the hash recomputed over that node's children, so a substituted or unattested leaf is detected even though the user equipment communicates only with the trusted root node. The user equipment then sends the remote attestation hash tree to the trusted root node, the trusted relay nodes and the trusted leaf nodes in the distributed operating system.
Step S14: a target attestation information tree sent by the user equipment is received and stored in each trusted node, where the target attestation information tree is obtained after the user equipment re-authenticates the initial attestation information tree.
This method builds trusted nodes in a tree hierarchy, and before the distributed operation an identity authentication is carried out between the trusted nodes and the user equipment, so that the user equipment can perform the distributed operation in the cloud computing platform. Because the trusted nodes run in a trusted execution environment, the content of the operation is invisible to the cloud computing platform, which protects the confidentiality and integrity of the operation.
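The following is an added example that simulates the hierarchical attestation of steps B4 to B7 and the user-side re-authentication of steps S13 and S14; it is not code from the patent or its assignee. SGX primitives are replaced by constructed stand-ins: the EREPORT MAC is HMAC-SHA256 under a per-platform report key, and the quoting enclave's signature is HMAC under a per-platform key registered at the attestation center (a stand-in for the platform's attestation signing key). Node names, the `Platform`, `AttestationCenter`, `attest`, `build_tree` and `verify_tree` names, and the 32-byte user data length are assumptions of this example.

```python
"""Simulation of the tree-structured remote attestation: leaf -> relay -> root -> user."""
from __future__ import annotations

import hashlib
import hmac
import os

USER_DATA_LEN = 32  # a real SGX REPORTDATA field is 64 bytes; a SHA-256 root hash fits in either


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class AttestationCenter:
    """Third-party attestation center: knows the signing key of every registered platform."""

    def __init__(self) -> None:
        self.keys = {}

    def register(self, platform: Platform) -> None:
        self.keys[platform.name] = platform.qe_key

    def verify(self, quote: bytes, signature: bytes) -> bool:
        """Attestation result: True only if the quote carries a valid signature of a registered platform."""
        key = self.keys.get(quote.split(b"|", 1)[0])
        if key is None:
            return False
        return hmac.compare_digest(signature, hmac.new(key, quote, "sha256").digest())


class Platform:
    """One trusted node's platform: the node enclave (EREPORT) and its quoting enclave."""

    def __init__(self, name: str) -> None:
        self.name = name.encode()
        self.report_key = os.urandom(16)  # stand-in: shared only by enclaves on this platform
        self.qe_key = os.urandom(32)      # stand-in for the key registered at the attestation center

    def ereport(self, user_data: bytes) -> tuple[bytes, bytes]:
        """EREPORT stand-in: REPORT = identity || user_data, MAC under the report key."""
        assert len(user_data) == USER_DATA_LEN
        report = b"MRENCLAVE:" + self.name + b"|" + user_data
        return report, hmac.new(self.report_key, report, "sha256").digest()

    def quoting_enclave(self, report: bytes, mac: bytes) -> tuple[bytes, bytes]:
        """The MAC check is the local attestation: it proves the REPORT came from this platform."""
        expected = hmac.new(self.report_key, report, "sha256").digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("REPORT was not produced on this platform")
        quote = self.name + b"|" + report
        return quote, hmac.new(self.qe_key, quote, "sha256").digest()


def tree_hash(children: list) -> bytes:
    """Hash over the children's attestation information in a fixed order (the remote attestation hash tree)."""
    return sha256(b"".join(sha256(c["quote"] + c["signature"]) for c in children))


def attest(platform: Platform, center: AttestationCenter, children: list) -> dict:
    """One level of the procedure: attest the children at the center, then bind their hash into this node's quote."""
    for child in children:
        if not center.verify(child["quote"], child["signature"]):
            raise ValueError(f"attestation of {child['node']!r} failed")
    user_data = tree_hash(children) if children else bytes(USER_DATA_LEN)
    quote, signature = platform.quoting_enclave(*platform.ereport(user_data))
    return {"node": platform.name, "quote": quote, "signature": signature, "children": children}


def build_tree(center: AttestationCenter, root: Platform, relays: list) -> dict:
    """relays: list of (relay_platform, [leaf_platforms]); returns the initial attestation information tree."""
    relay_entries = [attest(r, center, [attest(leaf, center, []) for leaf in leaves]) for r, leaves in relays]
    return attest(root, center, relay_entries)


def verify_tree(center: AttestationCenter, entry: dict) -> bool:
    """User-side re-authentication: every quote verifies and each node's user data equals the hash of its children."""
    if not center.verify(entry["quote"], entry["signature"]):
        return False
    user_data = entry["quote"][-USER_DATA_LEN:]
    expected = tree_hash(entry["children"]) if entry["children"] else bytes(USER_DATA_LEN)
    if not hmac.compare_digest(user_data, expected):
        return False
    return all(verify_tree(center, child) for child in entry["children"])


def demo() -> tuple[bool, bool]:
    """Root with two relays of two leaves each; returns (honest tree verifies, tampered tree verifies)."""
    center = AttestationCenter()
    root = Platform("root")
    relays = [(Platform(f"relay-{i}"), [Platform(f"leaf-{i}{j}") for j in range(2)]) for i in range(2)]
    for p in [root] + [r for r, _ in relays] + [leaf for _, leaves in relays for leaf in leaves]:
        center.register(p)
    tree = build_tree(center, root, relays)
    honest = verify_tree(center, tree)
    # Substitute a quote from an unregistered platform claiming to be leaf-00: the relay's bound hash no longer matches.
    rogue = Platform("leaf-00")
    quote, signature = rogue.quoting_enclave(*rogue.ereport(bytes(USER_DATA_LEN)))
    tree["children"][0]["children"][0] = {"node": rogue.name, "quote": quote, "signature": signature, "children": []}
    return honest, verify_tree(center, tree)


if __name__ == "__main__":
    print(demo())
```

The encryption of the tree on the first, second and third transmission channels is left out here; it protects the tree in transit but plays no part in the attestation check itself, which rests on the signatures and on the hash chain bound into each quote's user data.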
In this embodiment, after the target attestation information tree sent by the user equipment has been received and stored in each trusted node, the method further comprises the following steps, as shown in Fig. 5:
Step S21: a distributed computing request sent by the user equipment is received, where the distributed computing request carries the target data sent by the user equipment and the distribution mode corresponding to the target data.
Step S22: the trusted root node sends the target data to the trusted relay nodes according to the distribution mode, and each trusted relay node sends the target data to its trusted leaf nodes according to the distribution mode.
Step S23: the trusted leaf nodes perform distributed computation on the target data to obtain first computation results and send the first computation results to the trusted relay node.
Step S24: the trusted relay node aggregates the first computation results into a second computation result and sends the second computation result to the trusted root node.
Step S25: the trusted root node aggregates the second computation results into a third computation result and sends the third computation result to the user equipment.
In this embodiment, the user equipment generates a temporary key, encrypts the data and the key code (the code the trusted nodes are to run on the data) with the temporary key, encrypts the temporary key with the first key, and sends the result to the trusted root node. The trusted root node distributes the encrypted data to the trusted relay nodes according to the data distribution mode specified by the user equipment.
The trusted root node sends the encrypted key code to the trusted relay nodes. It decrypts the temporary key with the first key, re-encrypts it with the second key of each trusted relay node, and distributes each copy to the corresponding trusted relay node.
The trusted relay node distributes the encrypted data to the trusted leaf nodes according to the data distribution mode specified by the user equipment and sends them the encrypted key code. It decrypts the temporary key with the second key, re-encrypts it with the third key of each trusted leaf node, and distributes each copy to the corresponding trusted leaf node.
The trusted leaf node decrypts the temporary key with its third key and then decrypts the data and the key code with the temporary key. It performs the distributed operation on the data according to the key code, produces a result, encrypts the result with the third key and sends it to the trusted relay node. The trusted relay node decrypts the results with the third keys, aggregates them, encrypts the aggregate with the second key and sends it to the trusted root node. The trusted root node decrypts the relay results with the second keys, aggregates them, encrypts the aggregate with the first key and sends it to the user equipment, which decrypts it with the first key to obtain the final distributed operation result. Note that the temporary key is unwrapped and re-wrapped at every level, so the trusted root and relay nodes are able to read the data in transit; the confidentiality of the scheme rests on those nodes being attested enclaves (steps S11 to S14), not on end-to-end encryption between the user equipment and the leaf nodes.
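The following is an added example of the computation phase above (steps S21 to S25 and the hop-by-hop re-wrapping of the temporary key); it is not code from the patent or its assignee. The first, second and third keys are assumed to come from the earlier key exchange and are generated at random here; the cipher is a constructed encrypt-then-MAC stand-in (HMAC-SHA256 keystream plus HMAC tag) for an AEAD such as AES-GCM, not SGX sealing; and the user's key code is represented by an operation name chosen from an allowlist rather than by arbitrary code. The node names, the `make_topology`, `user_request`, `leaf_compute`, `relay_process`, `root_process` and `run` functions, and the round-robin distribution mode are assumptions of this example.

```python
"""Distributed computation with the temporary key re-wrapped at each level of the tree."""
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Allowlisted leaf operations standing in for the user's key code.
LEAF_OPS = {"sum_of_squares": lambda xs: sum(x * x for x in xs)}


def make_topology(n_relays: int = 2, n_leaves: int = 2) -> dict:
    """Channel keys: first key (user<->root), second key per relay (root<->relay), third key per leaf (relay<->leaf)."""
    return {
        "first_key": os.urandom(32),
        "relays": {
            f"relay-{i}": {
                "second_key": os.urandom(32),
                "leaves": {f"leaf-{i}{j}": os.urandom(32) for j in range(n_leaves)},
            }
            for i in range(n_relays)
        },
    }


def user_request(first_key: bytes, data: list, code: str, n_chunks: int) -> dict:
    """User side: the temporary key protects data and code; the first key protects the temporary key."""
    temp = os.urandom(32)
    chunks = [data[i::n_chunks] for i in range(n_chunks)]
    return {
        "mode": "round_robin",
        "chunks": [encrypt(temp, json.dumps(c).encode()) for c in chunks],
        "code": encrypt(temp, code.encode()),
        "temp_key": encrypt(first_key, temp),
    }


def leaf_compute(third_key: bytes, msg: dict) -> bytes:
    temp = decrypt(third_key, msg["temp_key"])                      # unwrap with the leaf's third key
    op = LEAF_OPS[decrypt(temp, msg["code"]).decode()]              # the key code, decrypted with the temporary key
    result = sum(op(json.loads(decrypt(temp, c))) for c in msg["chunks"])
    return encrypt(third_key, json.dumps(result).encode())           # first computation result


def relay_process(relay: dict, second_key: bytes, msg: dict) -> bytes:
    temp = decrypt(second_key, msg["temp_key"])                     # unwrap with the second key ...
    leaves = list(relay["leaves"].items())
    total = 0
    for idx, (_name, third_key) in enumerate(leaves):
        sub = {"chunks": msg["chunks"][idx::len(leaves)], "code": msg["code"],
               "temp_key": encrypt(third_key, temp)}                 # ... re-wrap with each leaf's third key
        total += json.loads(decrypt(third_key, leaf_compute(third_key, sub)))
    return encrypt(second_key, json.dumps(total).encode())           # second computation result


def root_process(topology: dict, request: dict) -> bytes:
    temp = decrypt(topology["first_key"], request["temp_key"])      # unwrap with the first key ...
    relays = list(topology["relays"].items())
    total = 0
    for idx, (_name, relay) in enumerate(relays):
        sub = {"chunks": request["chunks"][idx::len(relays)], "code": request["code"],
               "temp_key": encrypt(relay["second_key"], temp)}       # ... re-wrap with each relay's second key
        total += json.loads(decrypt(relay["second_key"], relay_process(relay, relay["second_key"], sub)))
    return encrypt(topology["first_key"], json.dumps(total).encode())  # third computation result


def run(topology: dict, data: list, code: str, n_chunks: int = 8) -> int:
    """Full round trip: user -> root -> relays -> leaves and back; returns the decrypted final result."""
    request = user_request(topology["first_key"], data, code, n_chunks)
    return json.loads(decrypt(topology["first_key"], root_process(topology, request)))


if __name__ == "__main__":
    print(run(make_topology(), list(range(1, 11)), "sum_of_squares"))
```

Every node that re-wraps the temporary key necessarily holds it in plaintext, which is why the example allows only allowlisted operations as the key code and why the text's attestation of every node must precede this phase.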
Fig. 6 is a block diagram of a device identity authentication apparatus according to an embodiment of the present application; the apparatus may be implemented as part or all of an electronic device by software, hardware, or a combination of both. As shown in Fig. 6, the apparatus includes:
a receiving module 51, configured to receive an identity authentication request sent by user equipment, where the identity authentication request requests authentication of a trusted node set deployed in a cloud computing platform for executing distributed computation, and the trusted node set includes a plurality of cascaded trusted nodes;
a calling module 52, configured to call each trusted node of the trusted node set to perform the authentication operation corresponding to the identity authentication request and obtain an initial attestation information tree corresponding to the trusted node set, where the initial attestation information tree includes the attestation information corresponding to each trusted node;
a sending module 53, configured to send the initial attestation information tree to the user equipment so that the user equipment re-authenticates the initial attestation information tree;
and a storage module 54, configured to receive a target attestation information tree sent by the user equipment and store it in each trusted node, where the target attestation information tree is obtained after the user equipment re-authenticates the initial attestation information tree.
In an embodiment of the present application, the trusted node set includes a trusted root node, trusted relay nodes and trusted leaf nodes, where the trusted root node is connected to at least two trusted relay nodes and each trusted relay node is connected to at least two trusted leaf nodes.
In an embodiment of the present application, the device identity authentication apparatus further includes a construction module, configured to establish a first transmission channel between the user equipment and the trusted root node based on a preset key exchange protocol and generate a first key; to establish a second transmission channel between the trusted root node and the trusted relay node based on the preset key exchange protocol and generate a second key; and to establish a third transmission channel between the trusted relay node and the trusted leaf node based on the preset key exchange protocol and generate a third key.
In an embodiment of the present application, the calling module 52 includes:
a sending sub-module, configured to issue the identity authentication request to the trusted relay nodes and the trusted leaf nodes through the trusted root node;
a first execution sub-module, configured for the trusted leaf node to execute a first authentication operation according to the identity authentication request to obtain first authentication information corresponding to the trusted leaf node, encrypt the first authentication information with the third key and send it to the trusted relay node over the third transmission channel;
a first processing sub-module, configured for the trusted relay node to decrypt the encrypted first authentication information of all its trusted leaf nodes, send the decrypted first authentication information to the attestation center for attestation to obtain a first attestation result, and generate a first attestation information tree from the first attestation result;
a second execution sub-module, configured for the trusted relay node to execute a second authentication operation according to the identity authentication request to obtain second authentication information corresponding to the trusted relay node;
a second processing sub-module, configured for the trusted relay node to encrypt the second authentication information and the first attestation information tree with the second key and send them to the trusted root node over the second transmission channel;
a third execution sub-module, configured for the trusted root node to decrypt the encrypted second authentication information and first attestation information trees of all trusted relay nodes, send the decrypted second authentication information to the attestation center to obtain a second attestation result, and generate a second attestation information tree from the second attestation result and the first attestation information trees;
and a fourth execution sub-module, configured for the trusted root node to execute a third authentication operation according to the identity authentication request to obtain third authentication information corresponding to the trusted root node, add the third authentication information to the second attestation information tree to obtain the initial attestation information tree, encrypt the initial attestation information tree with the first key and send the encrypted initial attestation information tree to the user equipment.
In an embodiment of the present application, the first execution sub-module is configured for the trusted leaf node to generate a first authentication code (a MAC) with the report key of the quoting enclave and send the first authentication code to the quoting enclave so that the quoting enclave can verify it; for the trusted leaf node to receive a first QUOTE structure and a first signature returned by the quoting enclave, where the first QUOTE structure and the first signature are produced after the quoting enclave has verified the first authentication code; and for the first QUOTE structure and the first signature to be taken as the first authentication information.
In an embodiment of the present application, the second execution sub-module is configured for the trusted relay node to send a first attestation request to the third-party attestation device to obtain a first attestation result, where the first attestation request asks for attestation of the first authentication information of the trusted leaf nodes; when the first attestation result confirms that the first authentication information of the trusted leaf nodes is valid, for the trusted relay node to generate a second authentication code with the report key of the quoting enclave and send the second authentication code together with the first attestation information tree to the quoting enclave so that the quoting enclave can verify the second authentication code; for the trusted relay node to receive a second QUOTE structure and a second signature returned by the quoting enclave, where the second QUOTE structure and the second signature are produced after the quoting enclave has verified the second authentication code; and for the second QUOTE structure and the second signature to be taken as the second authentication information.
In an embodiment of the present application, the third execution sub-module is configured for the trusted root node to send a second attestation request to the third-party attestation device to obtain a second attestation result, where the second attestation request asks for attestation of the second authentication information of the trusted relay nodes; when the second attestation result confirms that the second authentication information of the trusted relay nodes is valid, for the trusted root node to generate a third authentication code with the report key of the quoting enclave and send the third authentication code together with the second attestation information tree to the quoting enclave so that the quoting enclave can verify the third authentication code; for the trusted root node to receive a third QUOTE structure and a third signature returned by the quoting enclave, where the third QUOTE structure and the third signature are produced after the quoting enclave has verified the third authentication code; and for the third QUOTE structure and the third signature to be taken as the third authentication information.
In an embodiment of the present application, the device identity authentication apparatus further includes a computing module, configured to receive a distributed computing request sent by the user equipment, where the distributed computing request carries the target data sent by the user equipment and the distribution mode corresponding to the target data; for the trusted root node to send the target data to the trusted relay nodes according to the distribution mode and for the trusted relay nodes to send the target data to the trusted leaf nodes according to the distribution mode; for the trusted leaf nodes to perform distributed computation on the target data to obtain first computation results and send them to the trusted relay node; for the trusted relay node to aggregate the first computation results into a second computation result and send it to the trusted root node; and for the trusted root node to aggregate the second computation results into a third computation result and send it to the user equipment.
An embodiment of the present application further provides an electronic device which, as shown in Fig. 7, may include a processor 1501, a communication interface 1502, a memory 1503 and a communication bus 1504, where the processor 1501, the communication interface 1502 and the memory 1503 communicate with one another through the communication bus 1504.
The memory 1503 stores a computer program;
the processor 1501, when executing the computer program stored in the memory 1503, implements the steps of the above embodiments.
The communication bus of the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one bold line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (RAM) or non-volatile memory, such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor such as a central processing unit (CPU) or a network processor (NP); it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided herein, a computer readable storage medium is provided, in which instructions are stored, which when run on a computer, cause the computer to perform the method for authenticating an identity of a device according to any one of the above embodiments.
In a further embodiment provided herein, there is also provided a computer program product containing instructions that, when run on a computer, cause the computer to perform the method of authenticating an identity of a device as described in any of the above embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, produce in whole or in part the flows or functions of the embodiments of the present application. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wired means (such as coaxial cable, optical fiber, or digital subscriber line) or wireless means (such as infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk, or tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid-state disk).
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modifications, equivalent substitutions, improvements, etc. that are within the spirit and principles of the present application are intended to be included within the scope of the present application.
The foregoing is merely a specific embodiment of the application to enable one skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A device identity authentication method, applied to a cloud computing platform, the method comprising:
receiving an identity authentication request sent by user equipment, wherein the identity authentication request requests authentication of a trusted node set deployed in the cloud computing platform for executing distributed computation, and the trusted node set comprises a plurality of cascaded trusted nodes;
invoking each trusted node of the trusted node set to execute an authentication operation corresponding to the identity authentication request, to obtain an initial attestation information tree corresponding to the trusted node set, wherein the initial attestation information tree comprises the attestation information corresponding to each trusted node;
sending the initial attestation information tree to the user equipment so that the user equipment re-authenticates the initial attestation information tree;
receiving a target attestation information tree sent by the user equipment and storing the target attestation information tree in each trusted node, wherein the target attestation information tree is obtained after the user equipment re-authenticates the initial attestation information tree;
wherein the trusted node set comprises a trusted root node, trusted relay nodes and trusted leaf nodes, the trusted root node is connected to at least two trusted relay nodes, and each trusted relay node is connected to at least two trusted leaf nodes;
wherein, before invoking each trusted node of the trusted node set to execute the authentication operation corresponding to the identity authentication request, the method further comprises:
establishing a first transmission channel between the user equipment and the trusted root node based on a preset key exchange protocol, and generating a first key;
establishing a second transmission channel between the trusted root node and the trusted relay node based on the preset key exchange protocol, and generating a second key;
establishing a third transmission channel between the trusted relay node and the trusted leaf node based on the preset key exchange protocol, and generating a third key;
and wherein invoking each trusted node of the trusted node set to execute the authentication operation corresponding to the identity authentication request, to obtain the initial attestation information tree corresponding to the trusted node set, comprises:
issuing the identity authentication request to the trusted relay nodes and the trusted leaf nodes through the trusted root node;
the trusted leaf node executing a first authentication operation according to the identity authentication request to obtain first authentication information corresponding to the trusted leaf node, encrypting the first authentication information with the third key and sending it to the trusted relay node over the third transmission channel;
the trusted relay node decrypting the encrypted first authentication information of all its trusted leaf nodes, sending the decrypted first authentication information to an attestation center for attestation to obtain a first attestation result, and generating a first attestation information tree from the first attestation result;
the trusted relay node executing a second authentication operation according to the identity authentication request to obtain second authentication information corresponding to the trusted relay node;
the trusted relay node encrypting the second authentication information and the first attestation information tree with the second key and sending them to the trusted root node over the second transmission channel;
the trusted root node decrypting the encrypted second authentication information and first attestation information trees of all trusted relay nodes, sending the decrypted second authentication information to the attestation center to obtain a second attestation result, and generating a second attestation information tree from the second attestation result and the first attestation information trees;
and the trusted root node executing a third authentication operation according to the identity authentication request to obtain third authentication information corresponding to the trusted root node, adding the third authentication information to the second attestation information tree to obtain the initial attestation information tree, encrypting the initial attestation information tree with the first key and sending the encrypted initial attestation information tree to the user equipment.
2. The method of claim 1, wherein the trusted leaf node executing a first authentication operation according to the identity authentication request to obtain first authentication information corresponding to the trusted leaf node comprises:
the trusted leaf node generating a first authentication code with the report key of a quoting enclave and sending the first authentication code to the quoting enclave so that the quoting enclave verifies the first authentication code;
the trusted leaf node receiving a first QUOTE structure and a first signature returned by the quoting enclave, wherein the first QUOTE structure and the first signature are produced after the quoting enclave has verified the first authentication code;
and taking the first QUOTE structure and the first signature as the first authentication information.
3. The method of claim 1, wherein the trusted relay node executing a second authentication operation according to the identity authentication request to obtain second authentication information corresponding to the trusted relay node comprises:
the trusted relay node sending a first attestation request to a third-party attestation device to obtain a first attestation result, wherein the first attestation request asks for attestation of the first authentication information of the trusted leaf nodes;
when the first attestation result confirms that the first authentication information of the trusted leaf nodes is valid, the trusted relay node generating a second authentication code with the report key of a quoting enclave and sending the second authentication code together with the first attestation information tree to the quoting enclave so that the quoting enclave verifies the second authentication code;
the trusted relay node receiving a second QUOTE structure and a second signature returned by the quoting enclave, wherein the second QUOTE structure and the second signature are produced after the quoting enclave has verified the second authentication code;
and taking the second QUOTE structure and the second signature as the second authentication information.
4. The method of claim 1, wherein the trusted root node executing a third authentication operation according to the identity authentication request to obtain third authentication information corresponding to the trusted root node comprises:
the trusted root node sending a second attestation request to a third-party attestation device to obtain a second attestation result, wherein the second attestation request asks for attestation of the second authentication information of the trusted relay nodes;
when the second attestation result confirms that the second authentication information of the trusted relay nodes is valid, the trusted root node generating a third authentication code with the report key of a quoting enclave and sending the third authentication code together with the second attestation information tree to the quoting enclave so that the quoting enclave verifies the third authentication code;
the trusted root node receiving a third QUOTE structure and a third signature returned by the quoting enclave, wherein the third QUOTE structure and the third signature are produced after the quoting enclave has verified the third authentication code;
and taking the third QUOTE structure and the third signature as the third authentication information.
5. The method of claim 1, wherein, after receiving the target attestation information tree sent by the user equipment and storing the target attestation information tree in each trusted node, the method further comprises:
receiving a distributed computing request sent by the user equipment, wherein the distributed computing request carries target data sent by the user equipment and a distribution mode corresponding to the target data;
the trusted root node sending the target data to the trusted relay nodes according to the distribution mode, and the trusted relay nodes sending the target data to the trusted leaf nodes according to the distribution mode;
the trusted leaf nodes performing distributed computation on the target data to obtain first computation results and sending the first computation results to the trusted relay node;
the trusted relay node aggregating the first computation results into a second computation result and sending the second computation result to the trusted root node;
and the trusted root node aggregating the second computation results into a third computation result and sending the third computation result to the user equipment.
6. An apparatus for authenticating an identity of a device, comprising:
a receiving module, configured to receive an identity authentication request sent by user equipment, wherein the identity authentication request is used for requesting authentication of a trusted node set that is deployed in a cloud computing platform and used for executing distributed computation, and the trusted node set comprises a plurality of cascaded trusted nodes;
a calling module, configured to call each trusted node of the trusted node set to execute the authentication operation corresponding to the identity authentication request, to obtain an initial proving information tree corresponding to the trusted node set, wherein the initial proving information tree comprises the proving information corresponding to each trusted node;
a sending module, configured to send the initial proving information tree to the user equipment so that the user equipment re-authenticates the initial proving information tree; and
a storage module, configured to receive a target proving information tree sent by the user equipment and store the target proving information tree in each trusted node, wherein the target proving information tree is obtained after the user equipment re-authenticates the initial proving information tree;
wherein the trusted node set comprises a trusted root node, trusted relay nodes and trusted leaf nodes, the trusted root node being connected to at least two trusted relay nodes and each trusted relay node being connected to at least two trusted leaf nodes;
the apparatus further comprises a construction module, configured to establish a first transmission channel between the user equipment and the trusted root node based on a preset key exchange protocol and generate a first key; establish a second transmission channel between the trusted root node and the trusted relay node based on the preset key exchange protocol and generate a second key; and establish a third transmission channel between the trusted relay node and the trusted leaf node based on the preset key exchange protocol and generate a third key;
and the calling module comprises:
a sending sub-module, configured to send the identity authentication request to the trusted relay node and the trusted leaf node through the trusted root node;
a first execution sub-module, configured for the trusted leaf node to execute a first authentication operation according to the identity authentication request to obtain first authentication information corresponding to the trusted leaf node, encrypt the first authentication information with the third key, and send it to the trusted relay node through the third transmission channel;
a first processing sub-module, configured for the trusted relay node to decrypt the encrypted first authentication information from all of its trusted leaf nodes, send the decrypted first authentication information to a proving center for proving to obtain a first proving result, and generate a first proving information tree according to the first proving result;
a second execution sub-module, configured for the trusted relay node to execute a second authentication operation according to the identity authentication request to obtain second authentication information corresponding to the trusted relay node;
a second processing sub-module, configured for the trusted relay node to encrypt the second authentication information and the first proving information tree with the second key and send them to the trusted root node through the second transmission channel;
a third execution sub-module, configured for the trusted root node to decrypt the encrypted second authentication information and first proving information trees from all of its trusted relay nodes, send the decrypted second authentication information to the proving center to obtain a second proving result, and generate a second proving information tree according to the second proving result and the first proving information trees; and
a fourth execution sub-module, configured for the trusted root node to execute a third authentication operation according to the identity authentication request to obtain third authentication information corresponding to the trusted root node, add the third authentication information to the second proving information tree to obtain the initial proving information tree, encrypt the initial proving information tree with the first key, and send the encrypted initial proving information tree to the user equipment.
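The following Python model is an added example and is not code from the patent or from Suzhou Inspur; it walks through the cascaded attestation of claims 4 to 6 (leaf to relay to root to user, with a per-hop key at each tier and a user-side re-authentication of the whole proving information tree) and then the scatter/gather computation of claim 5 over the attested tree. Everything in it is an assumption made for illustration: the proving center, the third-party proving equipment and the reference enclave of claim 4 are collapsed into one hypothetical `ProvingCenter` that checks an HMAC-tagged report against a list of allowed measurements; the first/second/third keys are fixed per node instead of coming from a key exchange protocol; hop protection is integrity-only HMAC where the claims also encrypt; and the node names, topology and nonce are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field


def _tag(key: bytes, obj) -> str:  # HMAC over canonical JSON so both ends of a hop MAC identical bytes
    return hmac.new(key, json.dumps(obj, sort_keys=True, separators=(",", ":")).encode(), hashlib.sha256).hexdigest()


@dataclass
class Node:
    name: str
    measurement: str                 # assumed enclave measurement; stands in for a real report body
    report_key: bytes                # assumed key shared with the proving center (stands in for report signing)
    link_key: bytes                  # assumed session key with the parent hop (the claim's first/second/third key)
    children: list[Node] = field(default_factory=list)
    target_tree: dict | None = None  # set once the user's re-authenticated tree is stored (storage module)


@dataclass
class ProvingCenter:
    """Hypothetical stand-in for the proving center / third-party proving equipment / reference enclave."""
    allowed: set[str]              # measurements the center accepts
    report_keys: dict[str, bytes]  # per-node report keys

    def verify(self, auth_info: dict, nonce: str) -> bool:
        body = {k: auth_info[k] for k in ("node", "measurement", "nonce")}
        key = self.report_keys.get(body["node"])
        if key is None or body["nonce"] != nonce:  # unknown node, or a replayed report
            return False
        if not hmac.compare_digest(_tag(key, body), auth_info["tag"]):
            return False
        return body["measurement"] in self.allowed


def authenticate(node: Node, nonce: str) -> dict:  # a node's own authentication operation, bound to the nonce
    body = {"node": node.name, "measurement": node.measurement, "nonce": nonce}
    return {**body, "tag": _tag(node.report_key, body)}


def seal(key: bytes, payload: dict) -> dict:  # hop protection; integrity only here, the claims also encrypt
    return {"payload": payload, "mac": _tag(key, payload)}


def unseal(key: bytes, msg: dict) -> dict:
    if not hmac.compare_digest(_tag(key, msg["payload"]), msg["mac"]):
        raise ValueError("hop MAC mismatch")
    return msg["payload"]


def attest_subtree(node: Node, nonce: str, center: ProvingCenter) -> dict:
    """Proving information subtree rooted at `node`, built bottom up (claim 6's calling module)."""
    entries = []
    for child in node.children:
        msg = seal(child.link_key, attest_subtree(child, nonce, center))  # child side of the hop
        entry = unseal(child.link_key, msg)                               # parent side of the hop
        entry["verified"] = center.verify(entry["auth"], nonce)          # parent consults the center
        entries.append(entry)
    return {"node": node.name, "auth": authenticate(node, nonce), "children": entries}


def user_reauthenticate(tree: dict, nonce: str, center: ProvingCenter) -> dict:
    """The user's re-authentication: re-verify every entry, ignoring flags set by intermediate nodes."""
    kids = [user_reauthenticate(c, nonce, center) for c in tree["children"]]
    ok = center.verify(tree["auth"], nonce) and all(k["verified"] for k in kids)
    return {"node": tree["node"], "verified": ok, "children": kids}


def store_tree(node: Node, target: dict) -> None:
    node.target_tree = target
    for child in node.children:
        store_tree(child, target)


def distributed_sum(node: Node, data: list[int]) -> int:
    """Claim 5's scatter/gather with summation as the computation; an unattested node refuses to take part."""
    if node.target_tree is None or not node.target_tree["verified"]:
        raise PermissionError(f"{node.name} is not attested")
    if not node.children:
        return sum(data)
    n = len(node.children)
    return sum(distributed_sum(child, data[i::n]) for i, child in enumerate(node.children))


def build_demo(bad_leaf: str | None = None) -> tuple[Node, ProvingCenter]:
    """Constructed topology: root -> two relays -> two leaves each, with deterministic keys."""
    good = hashlib.sha256(b"enclave-v1").hexdigest()
    report_keys: dict[str, bytes] = {}
    def mk(name: str, children: list[Node] = ()) -> Node:
        report_keys[name] = hashlib.sha256(b"report:" + name.encode()).digest()
        m = hashlib.sha256(b"tampered").hexdigest() if name == bad_leaf else good
        return Node(name, m, report_keys[name], hashlib.sha256(b"link:" + name.encode()).digest(), list(children))
    root = mk("root", [mk("relay-a", [mk("leaf-a1"), mk("leaf-a2")]),
                       mk("relay-b", [mk("leaf-b1"), mk("leaf-b2")])])
    return root, ProvingCenter({good}, report_keys)


def run(bad_leaf: str | None = None) -> tuple[bool, int | None]:
    """Attest, let the user re-authenticate, store the target tree, then run one distributed computation."""
    root, center = build_demo(bad_leaf)
    nonce = "req-0001"  # constructed; a real request carries a fresh random nonce
    store_tree(root, user_reauthenticate(attest_subtree(root, nonce, center), nonce, center))
    try:
        return root.target_tree["verified"], distributed_sum(root, list(range(100)))
    except PermissionError:
        return False, None
```

`run()` returns `(True, 4950)`; `run("leaf-a2")` returns `(False, None)` because the tampered measurement fails at the center, the relay and root mark the subtree unverified, and the root refuses the computation. Two design points carry over to a real deployment: the user-side re-authentication discards the `verified` flags set in transit and re-checks every entry itself, so a compromised relay cannot vouch for a leaf it never submitted to the center; and the nonce binds each report to the identity authentication request, so a previously accepted tree cannot be replayed for a new request.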
7. A storage medium comprising a stored program, wherein the program, when run by a processor, performs the method of any one of claims 1 to 5.
8. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus; and wherein:
the memory is configured to store a computer program; and
the processor is configured to perform the method of any one of claims 1 to 5 by running the program stored in the memory.
CN202111370808.5A 2021-11-18 2021-11-18 Authentication method and device for equipment identity, electronic equipment and storage medium Active CN114398618B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111370808.5A CN114398618B (en) 2021-11-18 2021-11-18 Authentication method and device for equipment identity, electronic equipment and storage medium
PCT/CN2022/121850 WO2023087930A1 (en) 2021-11-18 2022-09-27 Equipment identity authentication method and apparatus, electronic device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111370808.5A CN114398618B (en) 2021-11-18 2021-11-18 Authentication method and device for equipment identity, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114398618A CN114398618A (en) 2022-04-26
CN114398618B true CN114398618B (en) 2024-01-30

Family

ID=81225890

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111370808.5A Active CN114398618B (en) 2021-11-18 2021-11-18 Authentication method and device for equipment identity, electronic equipment and storage medium

Country Status (2)

Country Link
CN (1) CN114398618B (en)
WO (1) WO2023087930A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114398618B (en) * 2021-11-18 2024-01-30 苏州浪潮智能科技有限公司 Authentication method and device for equipment identity, electronic equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113067626A (en) * 2021-03-15 2021-07-02 西安电子科技大学 Unmanned system bee colony credibility certification method based on edge computing

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10552138B2 (en) * 2016-06-12 2020-02-04 Intel Corporation Technologies for secure software update using bundles and merkle signatures
WO2020052751A1 (en) * 2018-09-12 2020-03-19 Huawei Technologies Co., Ltd. Device and method for attesting distributed services
CN110046507B (en) * 2018-12-12 2024-02-06 创新先进技术有限公司 Method and device for forming trusted computing cluster
KR102205654B1 (en) * 2019-05-20 2021-01-21 (주)누리텔레콤 Authentication method in a distributed circumstance
CN113329012B (en) * 2021-05-28 2022-07-26 交叉信息核心技术研究院(西安)有限公司 Rapid authentication method and system for trusted execution environment
CN114398618B (en) * 2021-11-18 2024-01-30 苏州浪潮智能科技有限公司 Authentication method and device for equipment identity, electronic equipment and storage medium

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113067626A (en) * 2021-03-15 2021-07-02 西安电子科技大学 Unmanned system bee colony credibility certification method based on edge computing

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
An efficient privacy-preserving remote attestation mechanism; 徐梓耀; 贺也平; 邓灵莉; Journal of Software (软件学报), Issue 02, pp. 339-351 *
A remote attestation scheme for platform configuration based on dynamic Huffman trees; 付东来; 彭新光; 陈够喜; 杨秋翔; Journal of Computer Applications (计算机应用), Issue 08, pp. 2275-2279 *
An improved remote attestation mechanism for platform configuration based on Chameleon hash; 付东来; 彭新光; Computer Science (计算机科学), Issue 01, pp. 118-121 *

Also Published As

Publication number Publication date
WO2023087930A1 (en) 2023-05-25
CN114398618A (en) 2022-04-26

Similar Documents

Publication Publication Date Title
US11750591B2 (en) Key attestation statement generation providing device anonymity
CN108512846B (en) Bidirectional authentication method and device between terminal and server
WO2021022701A1 (en) Information transmission method and apparatus, client terminal, server, and storage medium
US10826704B2 (en) Blockchain key storage on SIM devices
US11432150B2 (en) Method and apparatus for authenticating network access of terminal
JP5980961B2 (en) Multi-factor certificate authority
US20160080157A1 (en) Network authentication method for secure electronic transactions
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
CN112637836B (en) Data processing method and device, electronic equipment and storage medium
US9396339B2 (en) Protecting computers using an identity-based router
US20220191693A1 (en) Remote management of hardware security modules
CN114547583A (en) Identity authentication system, method, device, equipment and computer readable storage medium
CN107040501B (en) Authentication method and device based on platform as a service
CN114398618B (en) Authentication method and device for equipment identity, electronic equipment and storage medium
CN111414640A (en) Key access control method and device
CN113282951A (en) Security verification method, device and equipment for application program
Zubair et al. A hybrid algorithm-based optimization protocol to ensure data security in the cloud
CN111901102B (en) Data transmission method, electronic device, and readable storage medium
JP2019057827A (en) Distributed authentication system and program
CN115065457B (en) Data query method and device
CN116561820B (en) Trusted data processing method and related device
US20230229752A1 (en) Attestation of application identity for inter-app communications
JP7310003B2 (en) Remote authentication method and device
CN114866409B (en) Password acceleration method and device based on password acceleration hardware
CN117675244A (en) Task key distribution method and device based on cluster environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant